Lucene search

K
ibmIBM7A2D893F2FE7F77348033ABAB887687C87DB87D5D3A49EEC764B9B3146F2E94A
HistoryJun 16, 2018 - 9:48 p.m.

Security Bulletin: IBM Security Guardium is affected by Sweet32: Birthday attacks on 64-bit block ciphers in TLS (CVE-2016-2183)

2018-06-1621:48:42
www.ibm.com
63

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the in the Triple-DES on 64-bit block cipher, used as a part of the SSL/TLS protocol. This vulnerability is known as the SWEET32 Birthday attack. IBM Security Guardium has fixed this vulnerability

Vulnerability Details

CVEID: CVE-2016-2183**
DESCRIPTION:OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the in the Triple-DES on 64-bit block cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.**
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116337&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Guardium V8.2

IBM Security Guardium V 9, 9.1, 9.5

IBM Security Guardium V10, 10.0.1, 10.1, 10.1.2

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Guardium | 8.2| End of Service Sept 30 2016, Full Extended Support customers must contact L2 support for more information
IBM Security Guardium | 9x| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%2BSecurity&product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_9.0p6022_SecurityUpdate&includeSupersedes=0&source=fc
IBM Security Guardium | 10x| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%2BSecurity&product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard_10.0p6022_SecurityUpdate&includeSupersedes=0&source=fc

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Related for 7A2D893F2FE7F77348033ABAB887687C87DB87D5D3A49EEC764B9B3146F2E94A